1. PREFACE


The algorithm for the Data Encryption Standard (DES) was developed by the International Business Machines Corporation (IBM). It was adopted by the National Bureau of Standards (NBS) as a Federal Information Processing Standard (FIPS) in 1977. FIPS Publication #46 [FIPS 46] specifies the DES algorithm which is to be used within the Federal government for the cryptographic protection of sensitive, but unclassified, computer data. A number of techniques for incorporating this algorithm into a cryptographic system have been identified by both Federal and private organizations. These implementation techniques, external to the DES algorithm, have come to be called the "modes of operation." The Institute for Computer Sciences and Technology within the NBS is proposing a Modes of Operation FIPS for the DES. The purpose of this FIPS will be to describe several techniques for using the DES with sufficient specificity as to facilitate the interoperability of equipment using these modes.


Four implementation techniques using the DES are described in this document: the electronic codebook (ECB) mode, the cipher block chaining (CBC) mode, the cipher feedback (CFB) mode, and the authentication-only mode. ECB is a direct implementation of the IBM algorithm (U.S. patents #3796830 and #3798359); IBM also developed and patented (#4078152) the basic concept of the CBC mode. The Federal Reserve Board, with the technical assistance of the National Security Agency, adopted an 8-bit CFB technique for experimental use on their nationwide data communication network. The authentication-only mode is really an application of CBC or CFB, but it is deemed sufficiently important to be included in a standard. The proposed FIPS is limited to these four modes because they are the only techniques recommended at this time in encryption standards being developed under the auspices of the Federal Telecommunication Standards Committee.

The purpose of this NBS Internal Report is to provide an expedient vehicle for the dissemination of the technical information being considered for the proposed Modes of Operation FIPS.

The proposed FIPS will mandate only those characteristics necessary to specify the mechanics of implementing the modes of operation. Requirements in other concomitant areas which affect the security of a cryptographic system, e.g., key management or cryptographic synchronization, are not addressed in this document. They may be defined in other security or application standards.

The American National Standards Institute has approved the creation of a technical committee (X3T1) in order to begin drafting a national standard addressing the modes of operation for their Data Encryption Algorithm (DEA). The Federal DES and the ANSI DEA use the same cryptographic algorithm.
2. INTRODUCTION


Data to be cryptographically protected is called plain text. Encryption is the process of transforming plain text into cipher text; decryption is the inverse mapping of cipher text to plain text. The encryption (E) of plain text (P) under a key (K) into cipher text (C) is denoted by E(K, P) = C. The letter D will represent the inverse transformation, so that decryption under K may be written as D(K, C) = D{K, E(K, P)} = P.


Binary data may be cryptographically protected using the Data Encryption Standard (DES) [FIPS 46] in conjunction with a cryptographic variable. A cryptographic variable for the DES consists of sixty-four binary digits of which fifty-six bits are used directly as a key governing the algorithm. The remaining eight bits are employed as an odd parity check. A cryptographic period (or key period) is that interval of DES operation during which the same key is used between two or more cryptographic entities. Since the DES has been publicly defined, cryptographic security depends upon the security provided for the cryptographic variable, both the key and its parity bits. Given the cipher text and the key, the plain text can be recovered easily.


Mathematically, the DES maps a 64-dimensional input space over the field {0,1} onto itself. The number of elements in this space is two raised to the 64th power (2**64), i.e., it consists of all possible 64-bit vectors. The cryptographic key space provides the user a choice of any one of 2**56 invertible (one-to-one and onto) mappings. A specific DES input value can be mapped to one of 2**56 output values -- the specific value depends upon the particular 56-bit key chosen. The DES mapping has a complementary effect in that if E(K, P) = C then E(K', P') = C' or equivalently E(K, P) = {E(K', P')}' where the apostrophe represents binary complementation.


FIGURE 1. [figure not reproduced in this text]

FIGURE 2. THE DES TRANSFORMATION [figure not reproduced; its legend reads: f = cipher function; KS = key schedule function; IP* = inverse of IP; using this output as the new input, step #1 is repeated 15 more times]
The DES is a nonlinear, iterative, block, product cipher. This product cipher mixes transposition and substitution operations in an alternating manner in order to be most effective. Because this algorithm maps a 64-bit input block into sixty-four output bits, the DES is classified as a block cipher. Iterative refers to the use of the output of an operation as the input for another iteration or round of the same procedure. Nonlinearity is introduced into the algorithm through eight S (substitution) boxes, each of which maps six input bits into four output bits. A block diagram of the encryption operation is illustrated in figure #2. The cipher function, f, and the key schedule function are described in detail in [FIPS 46].

The DES input and output (I/O) blocks are sixty-four bit vectors with the least significant bit (LSB = 2**0) defined to be on the right and the most significant bit (MSB = 2**63) on the left. The bits of a DES I/O block are numbered from left to right: (1, 2, ..., 64). When a 64-bit cryptographic variable is entered into the DES key schedule, its format in the key input block is: (1, 2, ..., 7, P1, 8, 9, ..., 14, P2, 15, ..., 49, P7, 50, 51, ..., 56, P8), where {Pi | i = 1, 2, ..., 8} are odd parity bits computed on the preceding seven key bits.
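The key input block format above can be checked mechanically. The following Python is added here as an illustration and is not part of the NBS report: it forms the 64-bit cryptographic variable from 56 key bits by inserting the odd parity bits P1 through P8, checks the parity of a 64-bit variable, and recovers the key bits again. The function names and the sample value are this example's own; bit numbering follows the report, with bit 1 the left-most (most significant) bit.

```python
def add_odd_parity(key56: int) -> int:
    """Expand 56 key bits into the 64-bit cryptographic variable laid out as
    (1, 2, ..., 7, P1, 8, ..., 14, P2, ..., 50, ..., 56, P8): each octet holds
    seven key bits followed by a parity bit chosen so the octet has odd parity."""
    if not 0 <= key56 < (1 << 56):
        raise ValueError("key56 must be a 56-bit integer")
    variable = 0
    for i in range(8):
        seven = (key56 >> (49 - 7 * i)) & 0x7F      # key bits 7i+1 .. 7i+7, left to right
        parity = 1 - (bin(seven).count("1") & 1)    # 1 when the seven bits hold an even count of ones
        variable = (variable << 8) | (seven << 1) | parity
    return variable


def parity_ok(variable64: int) -> bool:
    """True when every octet of a 64-bit cryptographic variable has odd parity;
    a device loading a key should reject a variable that fails this check."""
    octets = [(variable64 >> (56 - 8 * i)) & 0xFF for i in range(8)]
    return all(bin(o).count("1") & 1 for o in octets)


def strip_parity(variable64: int) -> int:
    """Inverse of add_odd_parity: drop P1..P8 and return the 56 key bits."""
    key56 = 0
    for i in range(8):
        octet = (variable64 >> (56 - 8 * i)) & 0xFF
        key56 = (key56 << 7) | (octet >> 1)
    return key56


# Constructed sample: the key value used in Appendix A of the report, which
# already carries correct odd parity in every octet.
SAMPLE_VARIABLE = 0x0123456789ABCDEF

if __name__ == "__main__":
    print(hex(strip_parity(SAMPLE_VARIABLE)), parity_ok(SAMPLE_VARIABLE))
```

Because the parity bit sits in the least significant position of each octet, a variable with correct parity is unchanged by stripping and re-adding parity; a variable whose parity is wrong is detected by parity_ok before it reaches the key schedule.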

There are two general techniques for incorporating the DES into a cryptographic system: a block cipher and an additive or stream cipher. In both modes each bit of cipher text is a function of every bit of the cryptographic key. In a block cipher, the DES input block is a function of the plain text to be encrypted and the DES output block defines the cipher text. In an additive cipher implementation, a pseudorandom binary sequence is generated using DES output blocks. The binary exclusive-OR operation, represented by a circled plus sign, combines this pseudorandom sequence with the plain text to define the cipher text. This operation is equivalent to bit-by-bit, modulo-2 addition (without carry). Since the exclusive-OR operator is its own inverse over {0,1}, the same pseudorandom binary stream, say O, is used for both the encryption of plain text, P, and the decryption of cipher text, C; i.e., P ⊕ O = C and C ⊕ O = P.
3. ELECTRONIC CODEBOOK (ECB) MODE


The most basic mode of operation for the DES is the electronic codebook (ECB). The analogy to a codebook arises because the same plain text block always produces the same cipher text block for a given cryptographic key. Assuming that a manageable subset of the DES input blocks is used, a list (or codebook) of corresponding plain text and cipher text pairs could be constructed.

In ECB encryption, the plain text data block (D1, D2, ..., D64) directly defines the DES input block (I1, I2, ..., I64). The input block is processed through a DES device which has been loaded with the appropriate cryptographic key. The resultant output block (O1, O2, ..., O64) is used as cipher text (C1, C2, ..., C64).
The ECB decryption process is the same as ECB encryption except that the DES key schedule selection is reversed. In general, the DES key schedule function generates a new 48-bit vector from the 56-bit cryptographic key for each of the sixteen rounds of the DES algorithm. For a given cryptographic variable, let the sixteen key schedule encryption vectors be denoted by {KS1, KS2, ..., KS16}. Then, the corresponding decryption process will use the same basic operation as encryption (figure #2), but now {KS16, KS15, ..., KS1} will be successively invoked. An example of ECB encryption and decryption may be found in Appendix A.


Since each bit of an ECB output block is a complex function of every bit in the input block and the cryptographic key, a single bit error in a cipher text block will cause the decrypted plain text block to have an average error rate of fifty percent. However, an error in one ECB cipher text block will not affect the decryption of other blocks, i.e., there is no error extension between ECB blocks. An example of the effect of cipher text errors on ECB operations may be found in Appendix B.


If block synchronization is lost (e.g., a bit slip), then ECB cryptographic synchronization will also be lost until correct block boundaries are re-established.


Since the ECB mode is a 64-bit block cipher, an ECB device must encrypt information in integral multiples of sixty-four bits. If a user has less than sixty-four bits to encrypt, then the least significant bits of the unused portion of the input data block should be padded with random or pseudorandom binary digits prior to ECB encryption. The corresponding decrypting device will have to know when and to what extent padding has taken place so that these padding digits can be ignored or discarded after decryption.

A potentially critical weakness of the ECB mode is the fact that the same plain text always produces the same cipher text under a fixed key. Thus, the compromise of the plain text underlying any cipher text block results in the compromise of all repetitions of this same text for the remainder of the cryptographic period. This is sometimes referred to as a codebook analysis problem.


FIGURE 3: ELECTRONIC CODEBOOK (ECB) MODE [figure not reproduced; it shows ECB encryption, in which plain text (D1, D2, ..., D64) enters the DES algorithm (key, encrypt) and cipher text (C1, C2, ..., C64) results, and ECB decryption, in which cipher text (C1, C2, ..., C64) enters the DES algorithm (key, decrypt) and plain text (D1, D2, ..., D64) results]
4. CIPHER BLOCK CHAINING (CBC) MODE


CBC is a block cipher in which the plain text is exclusive-ORed with a block of pseudorandom data prior to being processed through a DES device (see figure #4). This technique greatly reduces the codebook analysis problem associated with the ECB mode, and also provides an error extension characteristic which is valuable in protecting against fraudulent data alteration.

In order to commence CBC encryption, the first DES input block is formed by exclusive-ORing the first data block with a 64-bit initialization vector (IV), i.e., (I1, I2, ..., I64) = (IV1 ⊕ D1, IV2 ⊕ D2, ..., IV64 ⊕ D64). This initial CBC input block is processed through a DES device producing a 64-bit DES output block which defines the cipher text, (O1, O2, ..., O64) = (C1, C2, ..., C64). Then these first 64 bits of cipher text are exclusive-ORed with the second plain text data block in order to construct the second DES input block. The next DES operation produces the second cipher text block. This encryption process continues to "chain" successive cipher and plain text blocks together until the last plain text block in the message is encrypted. The DES input block at time t is the bit-by-bit, mod-2 sum of the plain text at time t and the cipher text at time t-1 for t>1 or the IV at t=1. Appendix A contains an example of the CBC encryption and decryption of ASCII characters and Appendix C has a flow chart illustrating the basic CBC logic.


For CBC decryption, the first cipher text block is processed through a DES device using the decrypt operation, i.e., the key schedule vectors are invoked in reverse order from the encryption process. The first DES output block is exclusive-ORed with the CBC IV producing the first plain text block. The second cipher text block is then entered into the DES and the resultant output block is exclusive-ORed with the first cipher text block in order to produce the second plain text block. The CBC decryption process continues to exclusive-OR the cipher text block at
FIGURE 4: CIPHER BLOCK CHAINING (CBC) MODE [figure not reproduced; it shows the chain at TIME=1, TIME=2, ..., TIME=N. Legend: Di = data at time i; Ii = input at time i; Ci = cipher at time i; Oi = output at time i; IV = initialization vector; ⊕ = exclusive-OR]
The security of a CBC implementation depends, among other things, upon the management of CBC initialization vectors. Some recommendations in this area are provided in Appendix E.


The CBC mode reproduces the same cipher text whenever the same plain text is encrypted under a fixed key and IV. In the ECB mode, the cipher text repetition characteristic occurs at the block level; in the CBC mode, cipher text repetition is at the message level. If CBC users are concerned about this potential security problem, then their CBC systems should incorporate a unique identifier (e.g., a one-up counter) at the beginning of each CBC message in order to insure unique cipher text within a cryptographic period.


Since the CBC mode is a 64-bit block cipher, it must operate on a 64-bit input block with each CBC operation. Thus, partial data blocks (< 64 bits) will require special handling. For example, a partial data block may be padded in its least significant bit positions with arbitrary binary digits whenever the application environment can tolerate the overhead. The decrypting CBC device will have to know when and to what extent padding has occurred. This can be accomplished explicitly, e.g., using a control indicator, or implicitly, e.g., using constant length transactions. Another suggestion for handling partial data blocks is to switch to a 1-bit cipher feedback (CFB) mode in order to process the final k < 64 bits of a message. The last CBC cipher block would be used as an IV to initiate this CFB process. When using this scheme, the last bit of the message should not contain sensitive information.


In the CBC mode, one or more bit errors within a single cipher text block will affect the decryption of two blocks -- the block in which the error occurs and the succeeding block. If the errors occur in the n-th cipher text block, then each bit of the n-th plain text block will have an average error rate of about fifty percent. The (n+1)st plain text block will have only those bits in error which correspond directly to the cipher text bits in error. Of course, if errors occur in the last cipher text block, then the last plain text block is the only one affected. An example of the effect of cipher text errors in CBC operations may be found in Appendix B.

If CBC block synchronization is lost, then CBC cryptographic synchronization will also be lost. However, cryptographic synchronization will automatically be reacquired sixty-four bits after block boundaries have been established.
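As an added worked example, not code from the NBS report, the Python below implements the ECB mode of section 3 and the CBC mode of section 4 over a stand-in for the DES device. toy_block is a constructed 64-bit Feistel permutation, not the DES algorithm; it is used only because it is an invertible keyed mapping whose decrypt direction reverses the round-key order, which is all the two modes require. The padding scheme (pseudorandom fill plus a trailing length byte acting as the control indicator), the sample key, IV and message, and all function names are this example's own assumptions. The demonstration shows the block-level cipher text repetition of ECB against CBC, and the error extension of both modes after a single cipher text bit error: ECB garbles only the damaged block, while CBC garbles the damaged block and flips exactly the corresponding bit in the following one.

```python
MASK64 = (1 << 64) - 1


def toy_block(key: int, block: int, decrypt: bool = False) -> int:
    """Stand-in for one DES operation on a 64-bit block (assumption: a 4-round
    Feistel permutation, NOT the DES algorithm). Decryption reverses the
    round-key order, as the ECB decrypt description says of the key schedule."""
    round_keys = [(key >> (16 * r)) & 0xFFFF for r in range(4)]
    if decrypt:
        round_keys.reverse()
    left, right = block >> 32, block & 0xFFFFFFFF
    for rk in round_keys:
        f = ((right ^ rk) * 0x9E3779B1 + 0x7F4A7C15) & 0xFFFFFFFF
        left, right = right, left ^ f
    return (right << 32) | left      # final swap makes the routine self-inverse


def pad(data: bytes) -> bytes:
    """Pad the last partial block with pseudorandom bytes, as sections 3 and 4
    suggest; the final byte records the padding length so the decrypting side
    knows when and to what extent padding took place (a control indicator)."""
    n = 8 - (len(data) % 8)
    filler = bytes(((i * 0x9D) + 0x3B) & 0xFF for i in range(n - 1))
    return data + filler + bytes([n])


def unpad(data: bytes) -> bytes:
    return data[:-data[-1]]


def to_blocks(data: bytes) -> list:
    return [int.from_bytes(data[i:i + 8], "big") for i in range(0, len(data), 8)]


def from_blocks(ints) -> bytes:
    return b"".join(b.to_bytes(8, "big") for b in ints)


def ecb_encrypt(key: int, plain: bytes) -> bytes:
    return from_blocks(toy_block(key, d) for d in to_blocks(pad(plain)))


def ecb_decrypt(key: int, cipher: bytes, strip: bool = True) -> bytes:
    data = from_blocks(toy_block(key, c, decrypt=True) for c in to_blocks(cipher))
    return unpad(data) if strip else data


def cbc_encrypt(key: int, iv: int, plain: bytes) -> bytes:
    out, prev = [], iv
    for d in to_blocks(pad(plain)):
        prev = toy_block(key, d ^ prev)        # I(t) = D(t) xor C(t-1), with C(0) = IV
        out.append(prev)
    return from_blocks(out)


def cbc_decrypt(key: int, iv: int, cipher: bytes, strip: bool = True) -> bytes:
    out, prev = [], iv
    for c in to_blocks(cipher):
        out.append(toy_block(key, c, decrypt=True) ^ prev)   # D(t) = O(t) xor C(t-1)
        prev = c
    data = from_blocks(out)
    return unpad(data) if strip else data


def repeated_blocks(cipher: bytes) -> int:
    """Number of cipher text blocks that duplicate an earlier one (codebook leakage)."""
    bl = to_blocks(cipher)
    return len(bl) - len(set(bl))


def flip_bit(data: bytes, bit: int) -> bytes:
    """Invert one bit, numbered from the left starting at 1 as in the report."""
    i, m = (bit - 1) // 8, 0x80 >> ((bit - 1) % 8)
    return data[:i] + bytes([data[i] ^ m]) + data[i + 1:]


def error_extension(key: int, iv: int, plain: bytes, bit: int) -> tuple:
    """Decrypt after a single cipher text bit error at position `bit`. Returns the
    indices of plain text blocks in error under ECB, the same under CBC, and the
    XOR difference in the CBC block following the damaged one."""
    good = to_blocks(pad(plain))
    ecb = to_blocks(ecb_decrypt(key, flip_bit(ecb_encrypt(key, plain), bit), strip=False))
    cbc = to_blocks(cbc_decrypt(key, iv, flip_bit(cbc_encrypt(key, iv, plain), bit), strip=False))

    def diff(bad):
        return [i for i, (a, b) in enumerate(zip(good, bad)) if a != b]

    n = (bit - 1) // 64
    following = good[n + 1] ^ cbc[n + 1] if n + 1 < len(good) else 0
    return diff(ecb), diff(cbc), following


# Constructed sample values: a 64-bit key, an IV, and a message whose first
# three blocks are identical so the codebook effect is visible.
KEY = 0x0123456789ABCDEF
IV = 0x1234567890ABCDEF
PLAIN = b"REPEATED" * 3 + b"TAIL"

if __name__ == "__main__":
    print("ECB repeated blocks:", repeated_blocks(ecb_encrypt(KEY, PLAIN)))
    print("CBC repeated blocks:", repeated_blocks(cbc_encrypt(KEY, IV, PLAIN)))
    print("error in cipher bit 130 ->", error_extension(KEY, IV, PLAIN, 130))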
5. CIPHER FEEDBACK (CFB) MODE


The CFB mode is an additive cipher technique in which the DES is used to generate a pseudorandom binary stream. This stream is exclusive-ORed with the binary plain text to form the cipher text. The cipher text is fed back to form the next DES input block. The pseudorandom binary stream is sometimes referred to as a key stream, and the DES is then called a key generator or KG. However, this terminology will not be used in order to avoid confusion with the cryptographic key.

One through sixty-four bit CFB operation may be used. A 64-bit initialization vector (IV) or starter input block is used to begin CFB operations. A CFB IV is placed in the DES input block so that any zero fill is left-justified. This 64-bit input block is encrypted through a DES device producing a 64-bit, pseudorandom output block. The DES device is operated once for each new k-bit (0 < k < 65) character to be encrypted. In all CFB implementations, the left-most or most significant k bits of the DES output block are used in the exclusive-OR operation. These output block bits, (O1, O2, ..., Ok), are exclusive-ORed with the corresponding k bits of data, (D1, D2, ..., Dk) to form the cipher text: (C1, C2, ..., Ck) = (D1 ⊕ O1, D2 ⊕ O2, ..., Dk ⊕ Ok). In order to define this operation when the length of the plain text character to be encrypted is less than k bits, zeros are concatenated to the left hand side or most significant bits of the plain text. Obviously, users must agree on the representation of a plain text "character." Bits (Ok+1, Ok+2, ..., O64) of the DES output block are discarded. The k bits of cipher text are fed back to the LSB positions of the DES input (I) block such that:

    Bits at time t     -->   Bits at time (t+1)

    I[k+1]             -->   I1
    I[k+2]             -->   I2
      .                        .
      .                        .
    I64                -->   I[64-k]
    C1                 -->   I[64-(k-1)]
    C2                 -->   I[64-(k-2)]
      .                        .
      .                        .
    Ck                 -->   I64
FIGURE 5: K BITS CIPHER FEEDBACK (CFB) MODE [figure not reproduced]
As an example, consider an 8-bit CFB implementation and an IV with forty-eight pseudorandom bits. After each encryption, the eight cipher bits are fed back into the DES input block such that:

    AFTER ENCRYPTION #    THE DES INPUT BLOCK CONTAINS:

    0                     (0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,2,...,47,48)
    1                     (0,0,0,0,0,0,0,0,1,2,...,47,48,C1,C2,...,C8)
    2                     (1,2,...,47,48,C1,C2,...,C8,C9,C10,...,C16)

After the eighth encryption the entire 64-bit IV will have been shifted out of the DES input block. Let the first character be a seven-bit ASCII character plus parity denoted by (P, b7, b6, ..., b1). If the first DES output block is (O1, O2, ..., O64), then the first cipher text character will be (C1, C2, ..., C7, C8) = (P ⊕ O1, b7 ⊕ O2, ..., b2 ⊕ O7, b1 ⊕ O8). Appendix A contains a detailed example of 8-bit CFB operations and Appendix C has a flow chart diagramming the basic CFB procedures.

The security of a CFB system depends, among other things, upon the management of CFB IVs. Some recommendations in this area are provided in Appendix E.

To protect against undetected bit manipulation of the last k-bit cipher text character using k-bit CFB, the last character to be encrypted must consist of error detection, terminal flag, or permanently fixed data.

In CFB, each cipher bit is a function of one bit of the DES output block and one bit of plain text. Therefore, any bits of a CFB cipher text character may be changed without affecting the decryption of other bits within the same character so long as the bits which are fed back at the encrypting and decrypting stations are the same. An application of this characteristic would be the deletion of encrypted parity bits and their replacement with a new parity computed on the cipher text. This feature is useful in networks which are sensitive to parity checks.

Bit errors within one CFB cipher text character will affect not only the decryption of the garbled cipher text but also the decryption of succeeding characters until the bit errors are flushed out of the CFB input block. The first affected plain text character will be garbled in exactly those places where the cipher text character is in error. Succeeding plain text characters will experience an average error rate of about fifty percent until all errors have been shifted out of the DES input block. Assuming no additional errors are encountered during this time, the CFB decryption device will then automatically regain cryptographic synchronization. This characteristic is sometimes referred to as a limited error extension or a self-synchronizing capability, depending upon the point of view. In the previous 8-bit CFB example, errors in one cipher text character affect the decryption of nine characters. A detailed example of cipher text errors in CFB operations may be found in Appendix B.


If k-bit character boundaries are lost during decryption, then cryptographic synchronization will be lost until a cryptographic restart (new IV) is initiated or until after character boundaries have been re-established. In the latter case, if 64 (mod k) = 0, then resynchronization will occur automatically after 64/k characters with proper boundary definition have entered the DES input block; otherwise, one additional character will be required.


The encryption and decryption processes in the CFB mode invoke the DES key schedule vectors in the same order, i.e., both processes will use {KS1, KS2, ..., KS16}. This produces a partial involution under the same IV and key; i.e., if E[K, (P1, P2, ..., Pn)] = (C1, C2, ..., Cn), then E[K, (C1, C2, ..., Cn)] = (P1, N1, N2, ..., N(n-1)) where P, C, and N represent k-bit plain text, cipher text, and nonsense (pseudorandom) characters, respectively.
6. A DES AUTHENTICATION-ONLY MODE


The DES algorithm may also be used for the authentication of plain text. This technique is useful in applications which require maintaining data integrity but do not require that the plain text be protected from disclosure. The authentication-only mode protects against bit manipulation within the data as well as the insertion and deletion of messages, and the replay of a previously valid message. In the authentication-only mode, two message authentication codes (MACs) are independently computed on the same data, one at the data source and one at the data destination. This data consists of a unique message identifier (MID) and the text to be protected. If the data source MAC and the data destination MAC are in agreement and if the MID agrees with its expected value, then the plain text is accepted as authentic at the data destination. The authentication-only format is depicted in figure #6. The MAC must be generated using either the CFB or the CBC mode.

FIGURE 6: AUTHENTICATION-ONLY FORMAT

    FIELD 1    FIELD 2       FIELD 3
    MID        PLAIN TEXT    MAC

In order to commence CFB authentication operations, a unique message identifier is used as an initialization vector. The plain text is encrypted in the normal CFB manner except that the cipher text is not communicated to the decrypting device. After the encryption of the final plain text unit (character or block), the last cipher text is fed back into the DES input block as if another plain text unit were to be encrypted. Then the DES device is operated one more time and the left-most or most significant k bits (0 < k < 65) in the next DES output block are used as the MAC.


To begin CBC authentication operations, the MID is again used as an initialization vector. However, for this application the first plain text block to be encrypted is the all zero block, i.e., the MID alone defines the first DES input block. Thereafter, the plain text is encrypted in the normal CBC manner. The CBC MAC is defined to be the left-most or most significant k bits of the DES output block resulting from encrypting the final plain text block. Messages which terminate in partial data blocks are to be padded on the right (LSB) with zeros.

The MID, plain text, and the MAC are conveyed to the data destination; the intermediate cipher text is not transmitted. The probability that one could randomly select a correct k-bit MAC is 1/(2**k). For most applications, MACs of at least 24 bits are strongly recommended. Two examples of the authentication-only mode may be found in Appendix D.


In general, the MID is a unique and deterministic message identifier within a cryptographic period; the MID should also be varied across cryptographic periods. The value of the MID will be checked by the recipient of an authentication-only message to verify that messages have not been deleted, inserted, or replayed. The uniqueness within a cryptographic period may be achieved through the use of a one-up binary counter. MID values are not to be repeated within the same cryptographic period; this constraint also applies to multiuser environments under control of a common cryptographic key. The MID variation across cryptographic periods may be satisfied by selecting a random or pseudorandom starting value from the total range of a "within" counter. In using this approach it is recommended that only a small (say << 5%) segment of the MID's total range be used within any key period. Another acceptable technique would be to form the MID by concatenating a unique message identifier together with a unique identifier for each cryptographic period, e.g., a second one-up binary counter could be used for this purpose.


A MID is not encrypted. However, whenever MID values are exchanged through an unsecured channel to establish or re-establish MID synchronization, then these values must be protected. This protection includes the detection of bit alteration, the insertion of bogus messages, and the replay or deletion of valid messages.
8. DEFINITIONS, ABBREVIATIONS, AND CONVENTIONS


AUTHENTICATION-ONLY: A DES technique for protecting the integrity of plain text which does not have to be protected from disclosure; see section 6.


BLOCK: A binary vector consisting of sixty-four bits numbered from the left as 1, 2, ..., 64.


CBC: Cipher block chaining; see section 4.

CFB: Cipher feedback; see section 5.

CIPHER TEXT: Encrypted data.


CRYPTOGRAPHIC KEY: The 56 random bits of the cryptographic variable which are used to govern the DES device. Also simply called KEY.

CRYPTOGRAPHIC PERIOD: That period of DES operation during which a unique data-encrypting key is used between two or more cryptographic facilities. Keys from different cryptographic periods are independent. Synonym: Key period.


CRYPTOGRAPHIC VARIABLE: The 64-bit vector containing the 56-bit DES key and its eight associated parity bits. Synonym: Key Variable.

DECRYPTION: The process of changing cipher text into plain text. Verb: DECRYPT.

DES: Data Encryption Standard; specified in [FIPS 46].

DES DEVICE: The hardware used to implement the DES algorithm. This is usually an integrated circuit chip which is sometimes referred to as a "crypto-engine."

DES INPUT BLOCK: A 64-bit data vector that is entered into the DES device.

DES OUTPUT BLOCK: A 64-bit vector that is the final result of a DES device.

ECB: Electronic codebook mode; see section 3.




ENCRYPTION: A process of changing plain text into cipher text. Verb: ENCRYPT.

EXCLUSIVE-OR OPERATION: The bit-by-bit modulo-2 addition without carry of binary numbers. This operation is represented by a circled +.

INITIALIZATION VECTOR (IV): A 64-bit vector used to help form the initial DES input block for the CFB and CBC modes of operation; a 64-bit cryptographic synchronization vector.


KEY: Cryptographic key; the 56 random bits of the cryptographic variable.

KEY SCHEDULE FUNCTION: A logical unit within the DES algorithm which generates a different 48-bit vector from the 64-bit cryptographic variable for each of the sixteen rounds of the DES process.

LEAST  SIGNIFICANT  BIT  (LSB)  : The  right-most  bit  of  a binary 
row  vector.  Synonym:  Low  order  bit. 


MAC:  Message  authentication  code;  see  section  6. 

MESSAGE (MSG): A generic term used to describe a logical
data entity. In general it is an ambiguous term; there-
fore, for specific applications it should be precisely de-
fined.


MID: A message identifier used with the authentication-only
mode.

MOST SIGNIFICANT BIT (MSB): The left-most bit of a binary
row vector. Synonym: High order bit.

OCTET: A group of eight binary digits numbered from left to
right: 1, 2, ..., 8.

PLAIN  TEXT:  Decrypted  data  or  data  to  be  encrypted. 

PSEUDORANDOM BINARY PROCESS: A deterministic technique for
producing a sequence of binary digits which satisfy the sta-
tistical properties of a random bit stream.


APPENDIX  A 

SAMPLE  DES  ENCRYPTIONS  AND  DECRYPTIONS 
DES MODES OF OPERATION


AN EXAMPLE OF THE EIGHT-BIT CIPHER-TEXT FEEDBACK (CFB) MODE

The 8-bit CFB mode in the encrypt state has been selected.

Cryptographic Key      = 0123456789abcdef
Initialization Vector  = 1234567890abcdef

The plain text is the ASCII code for "Now is the."

These seven-bit characters are written in hexadecimal
notation (0, b7, b6, ..., b1). The ⊕ represents bit-by-bit,
modulo-2 addition.
AN EXAMPLE OF THE ONE-BIT CIPHER-TEXT FEEDBACK (CFB) MODE

The 1-bit CFB mode in the encrypt state has been selected.

Cryptographic Key      = 0123456789abcdef
Initialization Vector  = 1234567890abcdef

The plain text is the ASCII code for "Now."

These seven-bit characters are written in binary as
(0, b7, b6, ..., b1). The DES input and output blocks are
written in hexadecimal notation. The ⊕ represents
bit-by-bit, modulo-2 addition.

Note: A draft ANSI X3S3.8 link encryption standard
requires that the bits of an ASCII character be processed
in the reverse order of this example for 1-bit CFB.
This draft data communications standard is designed for
the transmission of ASCII characters in the standard,
serial-by-bit manner (b1, b2, ..., b7).
CIPHER TEXT ERRORS AND THE CFB MODE

The 8-bit CFB mode in the decrypt state has been selected.

The plain text is the ASCII code for "Now is the time for."
These seven-bit characters are written in hexadecimal
notation (0, b7, b6, ..., b1). The cipher text character at
time #4 has been changed to "c4" instead of the correct
value "c3." In the general k-bit CFB mode, bit errors
within a k-bit character will affect the decryption of one
character in those bit positions corresponding to the errors.
Succeeding characters will experience an error probability
of approximately fifty percent per bit until the garbles have
been flushed from the DES input block, which takes a further
64/k characters. In 8-bit CFB, errors within a character
therefore affect the decryption of nine cipher text characters
before cryptographic synchronization is re-established.

The ⊕ represents bit-by-bit, modulo-2 addition.


Cryptographic Key      = 0123456789abcdef
Initialization Vector  = 1234567890abcdef

TIME  DES INPUT BLOCK    DES OUTPUT BLOCK     C  ⊕  O  =  P
  1   1234567890abcdef   3494ccf2bda243a6    7a  ⊕  34  = 4e
  2   34567890abcdef7a   bd914d9386658541    d2  ⊕  bd  = 6f
  3   567890abcdef7ad2   adaf8c45c53f1f92    da  ⊕  ad  = 77
      ERROR IN NEXT CIPHER
  4   7890abcdef7ad2da   e3a3acc86c429d97    c4  ⊕  e3  = 27
  5   90abcdef7ad2dac4   23ae7d3f645f7daa    35  ⊕  23  = 16
  6   abcdef7ad2dac435   aca8467513ba93ae    80  ⊕  ac  = 2c
  7   cdef7ad2dac43580   383b374dc55ba511    8a  ⊕  38  = b2
  8   ef7ad2dac435808a   fbebef188f6ceab0    e6  ⊕  fb  = 1d
  9   7ad2dac435808ae6   307a55324bc7d098    27  ⊕  30  = 17
 10   d2dac435808ae627   a3179850047a27f9    08  ⊕  a3  = ab
 11   dac435808ae62708   0d0eaf64dc7e5ccb    0f  ⊕  0d  = 02
 12   c435808ae627080f   5cc2582fc7ca06f3    6d  ⊕  5c  = 31
      AUTORESYNC ON NEXT CIPHER
 13   35808ae627080f6d   953dfb12d8a4cf4     fc  ⊕  95  = 69
 14   808ae627080f6dfc   dc365b7e426e726e    b1  ⊕  dc  = 6d
 15   8ae627080f6dfcb1   57cb75f386e76662    32  ⊕  57  = 65
 16   e627080f6dfcb132   68bbd6da037c3eb1    48  ⊕  68  = 20
 17   27080f6dfcb13248   71e50a54bd8c1f1d    17  ⊕  71  = 66
 18   080f6dfcb1324817   b91c8fd54d1d45f5    d6  ⊕  b9  = 6f
 19   0f6dfcb1324817d6   009b705bb2ef50d6    72  ⊕  00  = 72

(The DES output block at time 13 is printed with one hex digit
illegible; only its leftmost octet, 95, enters the computation.)
APPENDIX C

CBC  AND  CFB  FLOW  CHARTS 
(FOR  ILLUSTRATIVE  PURPOSES  ONLY) 
FIGURE C.1: CIPHER BLOCK CHAINING (CBC) OPERATIONS

LEGEND:

K  = CRYPTOGRAPHIC KEY
IV = INITIALIZATION VECTOR
Ii = i-TH DES INPUT BLOCK
Oi = i-TH DES OUTPUT BLOCK
Pi = i-TH PLAIN TEXT BLOCK
Ci = i-TH CIPHER TEXT BLOCK
⊕  = EXCLUSIVE-OR

HOUSEKEEPING:
LOAD KEY, K
CHECK PARITY
TEST DEVICE
LOAD IV
i = 0

ENCRYPT (repeated for each block):
i = i + 1
INPUT PLAIN TEXT Pi
Ii = Pi ⊕ C(i-1), WITH IV IN PLACE OF C0
OPERATE DES ALGORITHM TO OBTAIN CIPHER Oi = Ci
OUTPUT CIPHER TEXT Ci

DECRYPT (repeated for each block):
i = i + 1
INPUT CIPHER TEXT Ci
Ii = Ci
OPERATE DES ALGORITHM (DECRYPT) TO GENERATE Oi
Pi = Oi ⊕ C(i-1), WITH IV IN PLACE OF C0
OUTPUT PLAIN TEXT Pi

(Flow-chart boxes and arrows of the original figure are not
reproduced; the steps above are the box labels in order.)
FIGURE C.2: CIPHER FEEDBACK (CFB) OPERATIONS

LEGEND:

K  = CRYPTOGRAPHIC KEY
IV = INITIALIZATION VECTOR
Ii = i-TH DES INPUT BLOCK
Oi = i-TH DES OUTPUT BLOCK
Pi = i-TH PLAIN TEXT CHARACTER (k BITS)
Ci = i-TH CIPHER TEXT CHARACTER (k BITS)
⊕  = EXCLUSIVE-OR

HOUSEKEEPING:
LOAD KEY, K,
CHECK PARITY,
TEST DEVICE
LOAD I1 = IV,
i = 0

LOOP (repeated for each character; identical in both states
except for the computation step):
i = i + 1
OPERATE DES ALGORITHM ON Ii TO GENERATE Oi
ENCRYPT STATE: COMPUTE CIPHER TEXT Ci = Pi ⊕ Oi
DECRYPT STATE: COMPUTE PLAIN TEXT Pi = Ci ⊕ Oi
  (only the leftmost k bits of Oi are used in either case)
FEED BACK Ci TO LOW ORDER BITS OF Ii REGISTER, FORMING I(i+1)
  (the register is shifted left k bits; Ci fills the vacated bits)

(Flow-chart boxes and arrows of the original figure are not
reproduced; the steps above are the box labels in order.)
APPENDIX D

EXAMPLES  OF  AUTHENTICATION-ONLY  MODE 

AN EXAMPLE OF THE AUTHENTICATION-ONLY MODE USING 8-BIT CFB

The 8-bit CFB mode in the encrypt state has been selected.
For this example the MID structure consists of a 32-bit
date-time code concatenated with a 32-bit, one-up binary
counter. The date-time code designates the year (0),
day of the year (003), hour of the day (10 or 1000 hours),
and minutes (15). This value is used to uniquely identify
the cryptographic period. The binary counter has been
initialized to 00000001; it is incremented by "1" for each
message to be authenticated within the same DES key period.
A 24-bit MAC was selected for this example.

The plain text is the ASCII code for "Now is the time for."
These seven-bit characters are written in hexadecimal
notation (0, b7, b6, ..., b1). The ⊕ represents bit-by-bit,
modulo-2 addition.

The MID serves as the initialization vector. The cipher text
characters produced at times 1 through 19 are fed back but
otherwise discarded; the MAC is the leftmost 24 bits of the
DES output block at time 20, i.e. of one further DES operation
on the input block formed after the last cipher text character
has been fed back. The message is transmitted as MID, clear
text, and MAC (see the message format below).


Cryptographic  Key  = 0123456789abcdef 
Initialization  Vector  = 0003101500000001 


TIME  DES INPUT BLOCK    DES OUTPUT BLOCK     P  ⊕  O  =  C
  1   0003101500000001   973c7b54e5bdd4da    4e  ⊕  97  = d9
  2   03101500000001d9   bde39e43bf3f2258    6f  ⊕  bd  = d2
  3   101500000001d9d2   1998d46fe4175d64    77  ⊕  19  = 6e
  4   1500000001d9d26e   5ddf40f5124917fa    20  ⊕  5d  = 7d
  5   00000001d9d26e7d   09342c9870b4fe85    69  ⊕  09  = 60
  6   000001d9d26e7d60   ffedd60c4e72814e    73  ⊕  ff  = 8c
  7   0001d9d26e7d608c   3f873ff6e2e4cd39    20  ⊕  3f  = 1f
  8   01d9d26e7d608c1f   724f0467a5fffdeb    74  ⊕  72  = 06
  9   d9d26e7d608c1f06   9ec1876e54493a52    68  ⊕  9e  = f6
 10   d26e7d608c1f06f6   01a5d888c472bcdd    65  ⊕  01  = 64
 11   6e7d608c1f06f664   0b6f90e412246e54    20  ⊕  0b  = 2b
 12   7d608c1f06f6642b   992db95a018d921f    74  ⊕  99  = ed
 13   608c1f06f6642bed   95c9b701a4681991    69  ⊕  95  = fc
 14   8c1f06f6642bedfc   b2e4f4318882ca59    6d  ⊕  b2  = df
 15   1f06f6642bedfcdf   6dfff2d406ea81de    65  ⊕  6d  = 08
 16   06f6642bedfcdf08   43148a850bd66dc8    20  ⊕  43  = 63
 17   f6642bedfcdf0863   a26e7ae5815d7b60    66  ⊕  a2  = c4
 18   642bedfcdf0863c4   57d8cc8f837534b9    6f  ⊕  57  = 38
 19   2bedfcdf0863c438   560cccbc949bb350    72  ⊕  56  = 24
 20   edfcdf0863c43824   63113f72e8a09991    => MAC = 63113f

MESSAGE FORMAT:

MID                TEXT                                       MAC
0003101500000001   4e6f77206973207468652074696d6520666f72     63113f
The security of a CFB or CBC implementation depends,
inter  alia,  upon  cryptographic  synchronization  procedures. 
For  these  modes  of  operation,  this  means  proper  management 
of  the  DES  initialization  vectors  (IVs) . IV  management  en- 
compasses the  generation,  distribution,  protection,  usage, 
and  disposal  of  initialization  vectors. 

At  least  one  standard  (*)  currently  under  development 
is  specifying  security  requirements  for  CFB  and  CBC  IVs  in 
telecommunication  environments.  It  is  conceivable  that  a 
special  application  standard  may  need  to  tailor  IV  manage- 
ment to  fit  a particular  set  of  application  requirements  in 
order  to  make  the  standard  reasonably  efficient  as  well  as 
effective. 

This  standard  on  the  modes  of  operation  does  not  man- 
date specific  techniques  in  IV  management.  This  standard 
specifies  only  those  requirements  which  are  essential  for 
unambiguously  describing  the  mechanics  needed  to  implement 
the  modes  of  operation. 

The  following  suggestions  are  recommended  as  prelim- 
inary guidelines  which  may  be  used  until  the  publication  of 
official  guideline(s)  or  standard(s)  in  the  area  of  IV 
management . 


CBC IVs: The CBC IV consists of sixty-four binary digits. A
single IV may be used throughout an entire CBC cryptographic
period; however, this IV should be protected from disclo-
sure. CBC IVs should not be repeated across cryptographic
periods (same key) with a probability greater than 2 to the
(-64). A 64-bit random or pseudorandom generation technique
will satisfy this characteristic.

CFB IVs: CFB IVs consist of 64 binary digits. As with other
DES additive stream ciphers, it is desirable that CFB IVs
change as frequently as possible in order to insure a unique
additive stream to protect the plain text. CFB IVs should
not repeat within a specific cryptographic period or across
different cryptographic periods with a probability greater
than 2 to the (-48). As a corollary, CFB IVs may only con-
tain a maximum of sixteen fixed bits. A 48-bit random or
pseudorandom process is sufficient to satisfy this property.
CFB IVs do not need to be protected from disclosure, i.e.,
they may be transmitted unencrypted through an unsecured
channel.


* Proposed  Federal  Standard  1027;  Telecommunications: 
Security  Requirements  for  Use  of  the  Data  Encryption 
Standard;  4 September  1979,  18  pages. 
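The cipher text error example, the authentication-only example of Appendix D and the IV guidance above all rest on one mechanism: a DES encryption driven by a shift register. The Python below is a worked example added to this page; it is not part of the NBS publication. It implements DES from the FIPS 46 tables (encrypt direction only, which is all that CFB and the MAC ever use), k-bit CFB for k a multiple of 8 following Figure C.2, and the 24-bit MAC of Appendix D, then reruns the two experiments: flipping the cipher character at time 4 from c3 to c4 and reading off which decrypted characters are garbled, and encrypting two messages under the same key and the same IV to show why the CFB IV rule matters. The key, IV, MID and 19-character message are the ones in the tables; the second message "Now is the hour for" and all function names are this example's own. Run it and compare the printed cipher characters and MAC against the tables; `des_block(KEY, b"Now is t")` reproduces the FIPS 81 ECB test vector for this key.

```python
"""DES from the FIPS 46 tables, k-bit CFB, the authentication-only MAC, and the
two experiments of the appendices.  Encrypt direction only: CFB and the MAC
never invoke DES decryption.  Permutation tables are 1-based, bit 1 = MSB."""

IP = [s - 8 * j for s in (58, 60, 62, 64, 57, 59, 61, 63) for j in range(8)]
FP = [IP.index(i) + 1 for i in range(1, 65)]  # inverse initial permutation
E = [(4 * i + j - 1) % 32 + 1 for i in range(8) for j in range(6)]
P = [16, 7, 20, 21, 29, 12, 28, 17, 1, 15, 23, 26, 5, 18, 31, 10,
     2, 8, 24, 14, 32, 27, 3, 9, 19, 13, 30, 6, 22, 11, 4, 25]
PC1 = [57, 49, 41, 33, 25, 17, 9, 1, 58, 50, 42, 34, 26, 18, 10, 2, 59, 51, 43,
       35, 27, 19, 11, 3, 60, 52, 44, 36, 63, 55, 47, 39, 31, 23, 15, 7, 62, 54,
       46, 38, 30, 22, 14, 6, 61, 53, 45, 37, 29, 21, 13, 5, 28, 20, 12, 4]
PC2 = [14, 17, 11, 24, 1, 5, 3, 28, 15, 6, 21, 10, 23, 19, 12, 4, 26, 8,
       16, 7, 27, 20, 13, 2, 41, 52, 31, 37, 47, 55, 30, 40, 51, 45, 33, 48,
       44, 49, 39, 56, 34, 53, 46, 42, 50, 36, 29, 32]
SHIFTS = [1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1]
SBOX = [  # S1..S8, each as 64 hex digits: rows 0-3, columns 0-15
    "e4d12fb83a6c59070f74e2d1a6cb953841e8d62bfc973a50fc8249175b3ea06d",
    "f18e6b34972dc05a3d47f28ec01a69b50e7ba4d158c6932fd8a13f42b67c05e9",
    "a09e63f51dc7b428d709346a285ecbf1d6498f30b12c5ae71ad069874fe3b52c",
    "7de3069a1285bc4fd8b56f03472c1ae9a690cb7df13e52843f06a1d8945bc72e",
    "2c417ab6853fd0e9eb2c47d150fa3986421bad78f9c5630eb8c71e2d6f09a453",
    "c1af92680d34e75baf427c9561de0b389ef528c3704a1db6432c95fabe17608d",
    "4b2ef08d3c975a61d0b7491ae35c2f8614bdc37eaf6805926bd814a7950fe23c",
    "d2846fb1a93e50c71fd8a374c56b0e927b419ce206adf35821e74a8dfc90356b",
]

def permute(value, table, width):
    """Pick the listed bits (1 = MSB) of a width-bit int into a new int."""
    out = 0
    for pos in table:
        out = (out << 1) | ((value >> (width - pos)) & 1)
    return out

def key_schedule(key):
    """Sixteen 48-bit round keys; PC1 discards the eight parity bits of the key variable."""
    cd = permute(int.from_bytes(key, "big"), PC1, 64)
    c, d, keys = cd >> 28, cd & 0xFFFFFFF, []
    for s in SHIFTS:
        c = ((c << s) | (c >> (28 - s))) & 0xFFFFFFF
        d = ((d << s) | (d >> (28 - s))) & 0xFFFFFFF
        keys.append(permute((c << 28) | d, PC2, 56))
    return keys

def feistel(r, k):
    """f(R, K): expand R to 48 bits, add the round key, substitute, permute."""
    x, out = permute(r, E, 32) ^ k, 0
    for i in range(8):
        b = (x >> (42 - 6 * i)) & 0x3F
        row, col = ((b >> 4) & 2) | (b & 1), (b >> 1) & 0xF
        out = (out << 4) | int(SBOX[i][row * 16 + col], 16)
    return permute(out, P, 32)

def des_block(key, block):
    """One DES encryption of an 8-byte input block under the 8-byte key variable."""
    v = permute(int.from_bytes(block, "big"), IP, 64)
    l, r = v >> 32, v & 0xFFFFFFFF
    for k in key_schedule(key):
        l, r = r, l ^ feistel(r, k)
    return permute((r << 32) | l, FP, 64).to_bytes(8, "big")

def cfb_crypt(key, iv, data, k=8, decrypt=False):
    """k-bit CFB, k a multiple of 8 (Figure C.2): register starts at the IV, each
    step XORs the leftmost k bits of DES(register) with one unit and shifts the
    CIPHER text unit into the low-order end of the register."""
    n, reg, out = k // 8, bytes(iv), bytearray()
    for i in range(0, len(data), n):
        unit = data[i:i + n]
        out += bytes(a ^ b for a, b in zip(unit, des_block(key, reg)))
        fed = unit if decrypt else bytes(out[-len(unit):])
        reg = reg[len(fed):] + fed
    return bytes(out)

def mac_cfb8(key, mid, text, mac_bits=24):
    """Authentication-only mode (Appendix D): CFB-8 with IV = MID, cipher text
    discarded, one more DES on the final input block, leftmost mac_bits kept."""
    reg = bytes(mid)
    for p in text:
        reg = reg[1:] + bytes([p ^ des_block(key, reg)[0]])
    return des_block(key, reg)[:mac_bits // 8]

def garbled_positions(key, iv, plaintext, index, mask):
    """Cipher text error experiment: XOR mask into cipher character index, decrypt,
    return the 0-based positions whose plain text no longer matches."""
    ct = bytearray(cfb_crypt(key, iv, plaintext))
    ct[index] ^= mask
    pt = cfb_crypt(key, iv, bytes(ct), decrypt=True)
    return [i for i, (a, b) in enumerate(zip(pt, plaintext)) if a != b]

def iv_reuse_recovers_char(key, iv, known, secret):
    """Same key AND same IV: both messages see the same DES output up to and
    including their first differing character, so one known plain text reveals
    that character of the other.  Returns (position, recovered, actual)."""
    c1, c2 = cfb_crypt(key, iv, known), cfb_crypt(key, iv, secret)
    j = next(i for i, (a, b) in enumerate(zip(known, secret)) if a != b)
    return j, known[j] ^ c1[j] ^ c2[j], secret[j]

if __name__ == "__main__":
    KEY, IV = bytes.fromhex("0123456789abcdef"), bytes.fromhex("1234567890abcdef")
    MID, MSG = bytes.fromhex("0003101500000001"), b"Now is the time for"  # table values
    print("ECB 'Now is t'  ->", des_block(KEY, b"Now is t").hex())  # 3fa40e8a984d4815
    print("CFB-8 cipher    ->", cfb_crypt(KEY, IV, MSG).hex())
    print("garbled, c3->c4 ->", garbled_positions(KEY, IV, MSG, 3, 0xC3 ^ 0xC4))
    print("24-bit MAC      ->", mac_cfb8(KEY, MID, MSG).hex())
    print("same IV leak    ->", iv_reuse_recovers_char(KEY, IV, MSG, b"Now is the hour for"))
```

Two points the run makes visible. The garbled positions are exactly 4 through 12 (0-based 3 through 11): the corrupted character itself plus the eight steps it spends inside the 64-bit register, after which the register holds only good cipher text and decryption resynchronizes on its own. The same self-synchronization is why the IV-reuse leak stops after the first differing character: from then on the two registers hold different cipher text and the additive streams diverge. The guidance above is what prevents that first character from leaking at all: a fresh CFB IV per message, at most 16 fixed bits and 48 bits from a random source (for example two fixed bytes followed by `os.urandom(6)`), and a 64-bit random IV per CBC cryptographic period.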